[pve-devel] RFC : iptables implementation

Dietmar Maurer dietmar at proxmox.com
Wed Jan 29 07:18:51 CET 2014


> The main idea is to reduce the maximum number of rule lookups for performance.
> 
> 1) The forward rules are split by bridge, and we only check rules for tap
> devices on this bridge. This reduces lookups a lot if you have many bridges
> (bridgevlan for example).
> 2) Inter-bridge routing is dropped by default.
> 3) The tap outgoing rules are always processed before incoming. We need to use
> RETURN in outgoing rules, but we can use ACCEPT in incoming rules.
>    That's good, because we can stop lookups on ACCEPT.

Looks good to me. But we need some scripts in order to test that. Maybe
we can re-use code from 'pve-firewall'?
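The chain layout the quoted proposal describes, written out as an added illustration (not code from this thread or from pve-firewall): per-bridge FORWARD dispatch, no inter-bridge forwarding, all tap OUT chains evaluated before any IN chain, RETURN for allowed egress and ACCEPT for allowed ingress. The chain names (FWBR-*, *-OUT, *-IN) and the sample per-tap policy are my own placeholders; the function only prints an iptables-restore fragment, it does not load it.

```shell
#!/bin/sh
# Usage: pve_rules <bridge> <tap>...   -> iptables-restore fragment on stdout
pve_rules() {
    br="$1"; shift
    echo '*filter'
    # 2) default policy DROP: anything not dispatched below, including
    #    traffic between two bridges, is dropped
    echo ':FORWARD DROP [0:0]'
    echo ":FWBR-$br - [0:0]"
    for tap in "$@"; do
        echo ":$tap-OUT - [0:0]"
        echo ":$tap-IN - [0:0]"
    done
    # 1) only traffic staying on this bridge enters the bridge's chain
    #    (with bridge-nf-call-iptables=1, -i/-o are the bridge for bridged packets)
    echo "-A FORWARD -i $br -o $br -j FWBR-$br"
    # 3a) VM egress = packet entered the bridge through the tap; checked first.
    #     Allowed packets RETURN so the destination tap's IN chain still runs.
    for tap in "$@"; do
        echo "-A FWBR-$br -m physdev --physdev-is-bridged --physdev-in $tap -j $tap-OUT"
    done
    # 3b) VM ingress = packet leaves the bridge through the tap; checked last.
    #     ACCEPT here terminates the lookup.
    for tap in "$@"; do
        echo "-A FWBR-$br -m physdev --physdev-is-bridged --physdev-out $tap -j $tap-IN"
    done
    # constructed sample policy per tap: established flows and SSH only
    for tap in "$@"; do
        echo "-A $tap-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
        echo "-A $tap-OUT -p tcp --dport 22 -j RETURN"
        echo "-A $tap-OUT -j DROP"
        echo "-A $tap-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
        echo "-A $tap-IN -p tcp --dport 22 -j ACCEPT"
    done
    echo 'COMMIT'
}
```

A packet from tap100i0 to tap101i0 on vmbr0 thus passes tap100i0-OUT (RETURN), skips the physdev-in rule for the other tap, and ends in tap101i0-IN (ACCEPT); a packet headed for another bridge never enters FWBR-vmbr0 and hits the DROP policy.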